Security Response
Amado Hidalgo | 21 Aug 2006 07:00:00 GMT | 0 comments

These days it is quite common to receive bogus email alerts purporting to come from security companies, informing you about some apparent infection on your computer and telling you to install software or an update (attached to the email) to clean your computer. We have all seen them and now, most of us simply ignore them. In most cases, helpful spam filtering software makes sure we are not bothered by them.

Less frequently we see Web sites built with the sole purpose of distributing malicious code. In some cases the fraudulent sites imitate the alert pages of a legitimate security company with the hope of tricking unsuspecting users into downloading malicious code. The level of credibility of these Web sites varies, but in most cases they contain logos, colors, and other (copyrighted) branding details ripped off from the legitimate site. This makes them somewhat harder for the casual or misinformed web user to detect, when they are, in fact, phony. In more sophisticated...

Masaki Suenaga | 18 Aug 2006 07:00:00 GMT | 0 comments

Traditional key loggers are used to capture key strokes or parameters of WM_CHAR window messages. A key logger is usually good enough to decipher what is input by the user if the language is English, French, Russian, Arabic, Thai and so on. However, people in China, Japan, and Korea often have to input thousands of different kinds of characters, known as Chinese characters, Hiragana and Katakana, and Hangeul, while the PC has only 100 keys on the keyboard. That is why input method editors (IME) exist for these languages.

In order to input one special character through an IME, we need to type between one and six keys. Basically, we type the reading of the string (or parts of Hangeul in Korean) to obtain the converted strings. But, a reading can end up with multiple versions of the converted strings, which requires the user to ultimately determine the converted string. This final string is called the “result string” of an IME. Another IME-related technique can be found...

Marc Fossi | 18 Aug 2006 07:00:00 GMT | 0 comments

Typosquatting has been around for a while. For those not familiar with the term, it refers to the practice of registering a domain name similar to that of a legitimate Web site (for example, symantc.com instead of symantec.com). The idea is that when you type the name of a site into your Web browser, there’s a chance you’ll make a typo, which results in you being taken to the squatter’s site instead of the legitimate site. The squatter’s site may be a page loaded with ads that generate revenue for them, a page that exploits a browser vulnerability to load malicious code, adware, or spyware onto your computer, or a phishing site designed to look like the site you meant to go to.

To fight typosquatting, many companies have begun registering domain names based on common typos in their actual names. For example, if you type gooogle.com into your browser, you’ll be redirected to google.com. Now, this works for typos within the domain name itself, but what if you leave the ‘o’ out of .com...

Ollie Whitehouse | 17 Aug 2006 07:00:00 GMT | 0 comments

With the advent of the Symbian mobile operating system we have been introduced to several new descriptors for different types of variables. These descriptors are used when writing software with Symbian's C++ API and are not standard C-style strings, but instead “classes” that perform strict type and length checking. These classes are designed to protect against buffer overflows and general memory corruption bugs, among other things.

While this design is helpful because it stops overflows from overwriting the stack and heap, developers could develop a false sense of security. What traditionally would have been a vulnerability that leads to arbitrary code execution is now potentially a vulnerability that causes a denial of service (DoS) condition.

Take the following code snippet as an example:

TBuf<5> Buf; //5 char buffer
_LIT(Boof,"AAAAAAAAAA"); // 10 chars
Buf.Copy(Boof); // Attempt to overflow

...
John Canavan | 16 Aug 2006 07:00:00 GMT | 0 comments

In recent months, we have seen a number of zero-day Microsoft Office exploits used to drop Trojan horses on affected systems. The release of the exploits had been timed so that when Microsoft released their patches, a zero-day exploit surfaced the next day. The timing of these releases was noted by Symantec Security Response and it was speculated that the people behind these exploits had discovered multiple vulnerabilities in Microsoft Office and were holding back on releasing them, in order to maximize the time-to-patch for each of their finds.

Today, we have seen another targeted attack on a document editing suite; however, this time around it is Justsystem's Ichitaro. Ichitaro is a word processing program widely used in Japan.

The malicious document uses a Unicode stack overflow to execute its code on the system, dropping and executing a Trojan horse named Backdoor.Papi. When run, Backdoor.Papi copies itself to the %system% directory, creates a service named CAPAPI...

Peter Ferrie | 16 Aug 2006 07:00:00 GMT | 0 comments

In February of this year, Virus Bulletin published one of my articles in which I was speculating about the meaning of a message that a certain virus was displaying. My questions were in regard to the W32.Idonus virus and more specifically, the word "Genetix" that was displayed. When executed, the virus randomly (a one in 1,983 chance) chose whether or not to display the message “GeNeTiX is EVIL!”

In the Virus Bulletin article I suggested that “Genetix” could be referring to a particular molecular biology company, an anti-GMO food organization, or perhaps something else entirely. Well, as it turned out, the term “Genetix” was actually referring to a person. Not just any person, it seems, but the actual virus writer. In an attempt to make this clear, the virus writer has created a new virus (...

Symantec Security Response | 14 Aug 2006 07:00:00 GMT | 0 comments

In an earlier blog regarding Microsoft’s recent vulnerability announcement, MS06-040 (Server service vulnerability) was discussed, along with how this issue would be exploitable for worm-based attacks. Although there were samples of proof-of-concept exploits released last week, it was pretty quiet on this front, until now. We have now seen our first real, in-the-wild style attack leveraging MS06-040.

Here's what we know so far:
• On August 12, 2006 Symantec Security Response detected a new exploit based on MS06-040, dubbed W32.Wargbot. This is a network-aware worm that leverages the described vulnerability to spread itself on vulnerable machines. Once on the compromised machine, W32.Wargbot then proceeds to open an IRC backdoor.
• In response to this new attack, Symantec has released AV signatures specific to W32.Wargbot; however,...

Robert Keith | 11 Aug 2006 07:00:00 GMT | 0 comments

As a vulnerability analyst, I need to gather as much information as I can on new or existing vulnerabilities. Part of my job is to scour vendor security sites, public disclosure lists, and other security-related sites looking for security-related information. In the process I often come across messages, emails, or blog entries etc. that are, to me at least, quite amusing. Typically, these messages tend to be from application authors declaring that their application “can’t have vulnerabilities” or, that “it just isn’t possible”. The arguments are often made that the programmer is either too reputable, or the software that they’ve developed has check upon check, making it impossible for the application to have vulnerabilities. Of course, no one wants to hear that something they have created has bugs or security holes, but more often than not, unfortunately it does. More likely, the case isn’t that the application is not vulnerable, but the author themselves may not understand...

Brian Hernacki | 10 Aug 2006 07:00:00 GMT | 0 comments

In a previous blog I wrote about security in municipal Wi-Fi networks and talked about what I called network identification. I wanted to talk a little more about that now. I think this is actually one of the hardest problems to deal with.

Just to recap, the problem is that when you attempt to connect to a wireless network, you do so based on the network name (the SSID). That name, however, is a very poor identifier. The administrator of the access point can name it whatever they like. So, if I want to set up an access point and name it "GoogleWi-Fi", I can. And now when anyone in range attempts to connect to a wireless network they will see one called "GoogleWi-Fi". So, how do you know who you're connecting to?

People have suggested a number of approaches. I've heard some suggestions around educating users about what names...